Bug 3652 - User belongs to many groups
Summary: User belongs to many groups
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.21c
Hardware: Other Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-03 06:56 UTC by Bruno Guerreiro
Modified: 2006-04-06 04:00 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bruno Guerreiro 2006-04-03 06:56:28 UTC
When a user belongs to an high number of groups (>65), he is unable to logon to the domain, and causes a Panic in Samba.
Using ldap backend (openldap-2.2.13-2) in a FC2 with 2.6.10-1.770_FC2 Glibc 2.3.3. ( but happens with other combinations also)
This also happens with latest samba version 3.0.22.
  ===============================================================
[2006/04/02 20:18:56, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 3504 (3.0.22)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/04/02 20:18:56, 0] lib/fault.c:fault_report(39)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/04/02 20:18:56, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2006/04/02 20:18:56, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/04/02 20:18:56, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 37 stack frames:
   #0 smbd(smb_panic2+0x120) [0x808c10]
   #1 smbd(smb_panic+0x28) [0x808ae8]
   #2 smbd [0x7f2a77]
   #3 /lib/tls/libc.so.6 [0x43af48]
   #4 /lib/tls/libc.so.6(__libc_free+0x8b) [0x47672b]
   #5 /lib/tls/libc.so.6(initgroups+0x16f) [0x497bdf]
   #6 smbd [0x7e3634]
   #7 smbd [0x7e3835]
   #8 smbd [0x7e39a4]
   #9 smbd(pdb_default_enum_group_memberships+0x34) [0x7e3b24]
   #10 smbd [0x7d3010]
   #11 smbd [0x7c3f30]
   #12 smbd(pdb_enum_group_memberships+0x4e) [0x7c602e]
   #13 smbd [0x84be01]
   #14 smbd [0x84bf7a]
   #15 smbd(make_server_info_sam+0x16c) [0x84c2cc]
   #16 smbd [0x8469db]
   #17 smbd [0x846d1e]
   #18 smbd [0x843d82]
   #19 smbd(_net_sam_logon+0xce1) [0x718d11]
   #20 smbd [0x715fab]
   #21 smbd(api_rpcTNP+0x18a) [0x76132a]
   #22 smbd(api_pipe_request+0xfa) [0x7610aa]
   #23 smbd [0x759792]
   #24 smbd [0x7599f0]
   #25 smbd [0x75a0e8]
   #26 smbd [0x75a3b6]
   #27 smbd(write_to_pipe+0x127) [0x75a2e7]
   #28 smbd(reply_pipe_write_and_X+0x139) [0x678bc9]
   #29 smbd(reply_write_and_X+0x43d) [0x6812ad]
   #30 smbd [0x6b7fc4]
   #31 smbd [0x6b8223]
   #32 smbd(process_smb+0xa4) [0x6b8474]
   #33 smbd(smbd_process+0x17d) [0x6b94fd]
   #34 smbd(main+0x591) [0x8a5931]
   #35 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x428ad4]
   #36 smbd [0x64c102]
Comment 1 Volker Lendecke 2006-04-03 09:50:04 UTC
this very much sounds like a glibc problem. Can you try to 'su -' to that user? Does that work?
 
Volker
Comment 2 Bruno Guerreiro 2006-04-03 10:20:28 UTC
With
[root@lnxvm root]# groups user.name
user.name : Domain Users AR-INF-AdmPub AR-INF-ARQUIVO AR-INF-IEH AR-INF-XST AI-IUTICE AR-LSB-DRI_Blaise AR-LSB-DRI_G_Respondente AR-LSB-DRI_Spis AR-LSB-DRI_Webinq AR-LSB-G_Amostras DI-LSB-Bombeiros DI-LSB-Cinema DI-LSB-ECPC DI-LSB-Galerias DI-LSB-Hindustria DI-LSB-IEGPA DI-LSB-IUTIC_E DI-LSB-IUTIC_H DI-LSB-IUTICE DI-LSB-La DI-LSB-Museus DI-LSB-ONGA DI-LSB-PubPer DI-LSB-Recintos DI-LSB-SIGIM DI-EVR-Bombeiros DI-EVR-Cinema DI-EVR-EspVivo DI-EVR-Galerias DI-EVR-Hindustria DI-EVR-La DI-EVR-Museus DI-EVR-ONGA DI-EVR-PubPer DI-EVR-Recintos DI-EVR-SIGIM OR-DRI.MSR AI-IEH AR-LSB-DRI_IE_FolhasObra DI-LSB-Hospitais DI-LSB-IPSS DI-LSB-SocMutuos DI-LSB-XST AI-AssPatronais AI-Bibliotecas AI-Bombeiros AI-Cinema AI-EspVivo AI-Galerias AI-Hospitais AI-ICT AI-IPSS AI-Museus AI-ONGA AI-PubPer AI-Recintos AI-SIGIM AI-SocMutuos AI-IUTIC_E AI-IUTICE-J DI-INF-IEH DI-LSB-IUTICE-J AR-LSB-DRI_IE_DOC_TECNICA-RO AR-LSB-DRI_MSR_GESTAO AR-LSB-DRI_RD_FICHAS AR-LSB-DRI_MSR_FONTES DI-LSB-IEH DI-LSB-PGRESP AI-PGRESP DI-EVR-PGRESP DI-EVR-XST AI-XST

Su'ing:
[root@lnxvm root]# su - user.name
[root@lnxvm root]# whoami
root

In /var/log/messages:
Apr  2 23:52:34 lnxvm su(pam_unix)[3160]: session opened for user user.name
by root(uid=0)
Apr  2 23:52:34 lnxvm su[3163]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Apr  2 23:52:34 lnxvm su(pam_unix)[3160]: session closed for user user.name

[root@lnxvm root]# service ldap status
slapd (pid 3155) is running...
[root@lnxvm root]#
Comment 3 Volker Lendecke 2006-04-03 10:36:44 UTC
So su - user.name failed. Just to make sure: Can you take that user out of a couple of groups and see if it works then? If it does, then this is not a Samba but a libc problem.

Another reason for su - failing is to have for example /bin/false as a login shell.

Thanks,

Volker
Comment 4 Bruno Guerreiro 2006-04-03 10:45:15 UTC
Reducing the number of groups the user belongs to "fixes" the issue. So, next step would be to update Glibc.
And if problem persists? Any advice?

TIA.
Bruno Guerreiro
Comment 5 Volker Lendecke 2006-04-03 10:50:03 UTC
If the problem persists, re-open the bug :-)

Volker
Comment 6 Bruno Guerreiro 2006-04-06 04:00:48 UTC
(In reply to comment #5)
> If the problem persists, re-open the bug :-)
> 
> Volker
> 
No need to re-open.
INFO: The problem was nss_ldap. Upgrading it solved the issue.